用ModSecurity启动WAF的一次小试
在 CfgMgmtCamp
期间,我参加了FranziskaBühler(@bufrasch)主题为《 WAF——您的
DevOps pipeline
的朋友?
》的演讲。她谈到了Web应用程序防火墙(WAF)和 OWASP
的核心规则集(CRS)。
考虑到我自己经历的这类安全性事件,我决定尝试使用ModSecurity启动Web应用程序,并在我自己的测试环境中运行。
我的测试环境由一台NGINX的CentOS8设备组成,结果比我想象的要难一些。
ModSecurity模块是Apache Web服务器的标准可用模块,我本来应该选择它的。但是我喜欢挑战,所以就换成了CentOS8和NGINX。
在网络上搜索时,我发现了一些资源,虽然不是全部,但是对我有很大帮助,这里给大家参考一下。
启用PowerTools存储库
由于所有配置均在CentOS8上进行,因此所有开发工具都必须可用,在此需要启用PowerTools存储库。
dnf config-manager --set-enabled PowerTools
并且需要很多开发工具
dnf -y install \
autoconf \
automake \
GeoIP-devel \
bison \
bison-devel \
curl \
curl-devel \
doxygen \
flex \
gcc \
gcc-c++ \
git \
libcurl-devel \
libxml2-devel \
lmdb-devel \
lua-devel \
openssl-devel \
ssdeep-devel \
yajl \
yajl-devel \
zlib-devel
获取所有资源
现在所有软件都已安装到位,设置一个可以使用的环境。请注意,因为这是一个测试环境,所以没有sudo使用,一切都以root身份完成。
cd mkdir owasp cd owasp
然后下载所有资源。需要GeoIP2,因为GeoIP将很快被弃用,下载后并与NGINX一起安装。
wget https://nginx.org/download/nginx-1.17.8.tar.gz wget https://github.com/SpiderLabs/ModSecurity/releases/download/v3.0.4/modsecurity-v3.0.4.tar.gz wget https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/v3.2.0.tar.gz -O CRS_v3.2.0.tar.gz git clone --recursive https://github.com/maxmind/libmaxminddb git clone https://github.com/SpiderLabs/ModSecurity git clone https://github.com/SpiderLabs/ModSecurity-nginx git clone https://github.com/leev/ngx_http_geoip2_module
MaxMin library
ModSecurity库和ModSecurity模块都需要libmaxmin,因此首先
cd libmaxminddb ./bootstrap ./configure make make check make install cd ..
配置并安装modsecurity库
而之后libmaxmin的modsecurity库
tar -xvf modsecurity-v3.0.4.tar.gz cd modsecurity-v3.0.4 ./configure --with-lmdb --with-maxmind=/usr/local make make install cd ..
配置并安装modsecurity模块
现在modsecurity库已可用,创建模块
cd ModSecurity sh build.sh git submodule init git submodule update ./configure --with-lmdb --with-maxmind=/usr/local make make install cd ..
棘手的一点
为了使NGINX能够接受并加载模块,必须使用与已安装的NGXINX完全相同的配置选项来编译它们。这些可以通过nginx -V命令确定。
但是不知何故我这里无法正常工作。我尝试了所有可能找到的选项,但一直会遇到binairy不兼容错误。因此,我决定也从头开始编译NGINX。当然,这具有以下缺点:NGINX无法再通过packagemanager进行升级,但是由于模块和nginx二进制文件之间的严格匹配,已经无法实现。我想确保自建nginx内容不会干扰系统的其余部分,因此我将所有内容都放入/usr/local/nginx。首先,我采用了配置选项,利用安装的NGINX,最后得到了:
tar -xvf nginx-1.17.8.tar.gz
cd nginx-1.17.8
./configure \
--prefix=/usr/local/nginx \
--sbin-path=/usr/local/nginx/sbin/nginx \
--modules-path=/usr/local/nginx/modules \
--conf-path=/usr/local/nginx/etc/nginx.conf \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/run/nginx.lock \
--http-client-body-temp-path=/var/cache/nginx/client_temp \
--http-proxy-temp-path=/var/cache/nginx/proxy_temp \
--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
--http-scgi-temp-path=/var/cache/nginx/scgi_temp \
--user=nginx \
--group=nginx \
--with-file-aio \
--with-threads \
--with-http_addition_module \
--with-http_auth_request_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_mp4_module \
--with-http_random_index_module \
--with-http_realip_module \
--with-http_secure_link_module \
--with-http_slice_module \
--with-http_ssl_module \
--with-http_stub_status_module \
--with-http_sub_module \
--with-mail \
--with-mail_ssl_module \
--with-stream \
--with-stream_ssl_module \
--with-compat \
--with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -DNGX_HTTP_HEADERS' \
--with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -Wl,--as-needed'i \
--add-dynamic-module=../ModSecurity-nginx \
--add-dynamic-module=../ngx_http_geoip2_module
make
make install
cd ..
useradd -m -c'nginx' nginx
mkdir -p /var/cache/nginx/client_temp
chown nginx:nginx /var/cache/nginx/client_temp
配置ModSecurity
nginx被编译并安装到modsec即可,ModSec(SpiderLabs)的创建者有提供下载默认配置,让我们着手行动。
mkdir -p /usr/local/nginx/etc/modsec
wget
https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended \
-O /usr/local/nginx/etc/modsec/modsecurity.conf
cp -p /root/owasp/modsecurity-v3.0.4/unicode.mapping /usr/local/nginx/etc/modsec/unicode.mapping
sed -i 's/^SecRuleEngine.*/SecRuleEngine On/' /usr/local/nginx/etc/modsec/modsecurity.conf
cat < /usr/local/nginx/etc/modsec/main.conf
Include "/usr/local/nginx/etc/modsec/modsecurity.conf"
# Basic test rule
SecRule ARGS:blogtest "@contains test" "id:1111,deny,status:403"
SecRule REQUEST_URI "@beginsWith /admin"
"phase:2,t:lowercase,id:2222,deny,msg:'block admin'"
@EOF
使用ModSec模块配置nginx。
worker_processes 1;
load_module modules/ngx_http_modsecurity_module.so;
load_module modules/ngx_http_geoip2_module.so;
load_module modules/ngx_stream_geoip2_module.so;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
server {
listen 80;
server_name localhost;
modsecurity on;
modsecurity_rules_file /usr/local/nginx/etc/modsec/main.conf;
location / {
root html;
index index.html index.htm;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
}
要验证它是否全部损坏,请运行/usr/local/nginx/sbin/nginx -t并确保一切正常。检查ModЅecurity是否适用于:
curl http://localhost/adminaccess403 Forbidden 403 Forbidden
nginx/1.17.8
而/var/log/nginx/error.log文件显示:
2020/02/07 16:04:08 [error] 17871#17871: *3 [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `BeginsWith' with parameter `/admin' against variable `REQUEST_URI' (Value: `/adminaccess' ) [file "/usr/local/nginx/etc/modsec/main.conf"] [line "7"] [id "2222"] [rev ""] [msg "block admin"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "127.0.0.1"] [uri "/adminaccess"] [unique_id "158108784890.091254"] [ref "o0,6v4,12t:lowercase"], client: 127.0.0.1, server: localhost, request: "GET /adminaccess HTTP/1.1", host: "localhost"
差不多好了
此时,ModSecurity正在NGINX上运行,因此所需的就是核心规则集(CRS)。一旦达到这一目标,接下来就轻而易举了。
cd /usr/local/nginx/etc tar -xvf ~/owasp/CRS_v3.2.0.tar.gz ln -s owasp-modsecurity-crs-3.2.0 owasp-crs cp -p /usr/local/nginx/etc/owasp-crs/crs-setup.conf.example /usr/local/nginx/etc/owasp-crs/crs-setup.conf
将这些行添加到: /usr/local/nginx/etc/modsec/main.conf
Include "/usr/local/nginx/etc/owasp-crs/crs-setup.conf" Include "/usr/local/nginx/etc/owasp-crs/rules/*.conf"
还要确保文件/usr/local/nginx/etc/owasp-crs/crs-setup.conf包含以下行
SecDefaultAction "phase:1,log,auditlog,deny,status:403" SecDefaultAction "phase:2,log,auditlog,deny,status:403"
如果curl发出了正常状态,例如, curl http://localhost/trololo_singer.html
这不会触发任何安全规则,并且404会显示一个普通错误:
404 Not Found 404 Not Found
nginx/1.17.8
但是,如果curl命令正在请求一个受保护的文件(如.htaccess文件),则将触发“核心规则集”并发出拒绝访问错误。
403 Forbidden 403 Forbidden
nginx/1.17.8
而/var/log/nginx/error.log文件显示:
2020/02/07 16:17:28 [error] 2724#2724: *8 [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `PmFromFile' with parameter `restricted-files.data' against variable `REQUEST_FILENAME' (Value: `/.htaccess' ) [file "/usr/local/nginx/etc/owasp-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "104"] [id "930130"] [rev ""] [msg "Restricted File Access Attempt"] [data "Matched Data: .htaccess found within REQUEST_FILENAME: /.htaccess"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"] [hostname "127.0.0.1"] [uri "/.htaccess"] [unique_id "15813292242.837003"] [ref "o1,9v4,10t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercase"], client: 127.0.0.1, server: localhost, request: "GET /.htaccess HTTP/1.1", host: "localhost"
*参考来源: tonkersten
,Sandra1432编译,转载请注明来自FreeBuf.COM
About The Author
